auth: replace GITHUB_TOKEN with gh auth login (#46)

Author: benvinegar

.env.schema

@@ -31,13 +31,6 @@ GEMINI_API_KEY=
 # @docs(https://opencode.ai)
 OPENCODE_ZEN_API_KEY=
 
-# ── GitHub ───────────────────────────────────────────────────────────────────
-
-# GitHub Personal Access Token (classic ghp_ or fine-grained github_pat_)
-# @required @type=string
-# @docs(https://github.com/settings/tokens)
-GITHUB_TOKEN=
-
 # ── Slack ────────────────────────────────────────────────────────────────────
 
 # Slack bot OAuth token

CONFIGURATION.md

@@ -23,9 +23,13 @@ Set at least one. Multiple can coexist — switch models at runtime via `/model`
 
 ### GitHub
 
-| Variable | Description | How to get it |
-|----------|-------------|---------------|
-| `GITHUB_TOKEN` | GitHub Personal Access Token | [github.com/settings/tokens](https://github.com/settings/tokens) — create a fine-grained token scoped to the repos you want the agent to access. Minimum scopes: `contents: write`, `pull_requests: write`, `issues: write`. |
+The agent uses the `gh` CLI for PRs, checks, and issues. Authenticate with:
+
+```bash
+sudo -u baudbot_agent gh auth login
+```
+
+This uses the device code flow — it shows a code, you visit [github.com/login/device](https://github.com/login/device) on your browser. The token is stored in `~/.config/gh/hosts.yml` (not in `.env`).
 
 The agent also uses an SSH key (`~/.ssh/id_ed25519`) for git push. Setup generates one automatically. Add the public key to **Settings → SSH keys** on the GitHub account the agent will push as.
 
@@ -133,8 +137,7 @@ ANTHROPIC_API_KEY=sk-ant-...
 # GEMINI_API_KEY=...
 # OPENCODE_ZEN_API_KEY=...
 
-# GitHub
-GITHUB_TOKEN=ghp_...
+# GitHub: authenticate with `sudo -u baudbot_agent gh auth login`
 
 # Slack
 SLACK_BOT_TOKEN=xoxb-...

SECURITY.md

@@ -117,7 +117,7 @@ Slack @mention
 | Secret | Location | Perms | Purpose |
 |--------|----------|-------|---------|
 | LLM API key(s) | `~/.config/.env` | `600` | LLM API access (one or more of: `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, `GEMINI_API_KEY`, `OPENCODE_ZEN_API_KEY`) |
-| `GITHUB_TOKEN` | `~/.config/.env` | `600` | GitHub PAT (scoped to agent account) |
+| GitHub OAuth token | `~/.config/gh/hosts.yml` | `600` | `gh` CLI auth (via `gh auth login`) |
 | `AGENTMAIL_API_KEY` | `~/.config/.env` | `600` | AgentMail inbox access |
 | `KERNEL_API_KEY` | `~/.config/.env` | `600` | Kernel cloud browsers |
 | `BAUDBOT_SECRET` | `~/.config/.env` | `600` | Email authentication shared secret |

bin/ci/setup-arch.sh

@@ -20,7 +20,9 @@ sudo -u baudbot_admin bash -c 'cd ~/baudbot && git init -q && git config user.em
 
 echo "=== Running install.sh ==="
 # Simulate interactive input: admin user, required secrets, skip optionals, decline launch
-printf 'baudbot_admin\nsk-ant-testkey\n\n\n\nghp_testtoken\nxoxb-test\nxapp-test\nU01TEST\n\n\n\n\nn\n' \
+# Prompts: admin user, Anthropic, OpenAI(skip), Gemini(skip), OpenCode(skip),
+#   Slack bot, Slack app, Slack users, AgentMail(skip), email(skip), Sentry(skip), Kernel(skip), launch(n)
+printf 'baudbot_admin\nsk-ant-testkey\n\n\n\nxoxb-test\nxapp-test\nU01TEST\n\n\n\n\nn\n' \
   | bash /home/baudbot_admin/baudbot/install.sh
 
 echo "=== Verifying install ==="

bin/ci/setup-ubuntu.sh

@@ -31,7 +31,9 @@ sudo -u baudbot_admin bash -c 'cd ~/baudbot && git init -q && git config user.em
 
 echo "=== Running install.sh ==="
 # Simulate interactive input: admin user, required secrets, skip optionals, decline launch
-printf 'baudbot_admin\nsk-ant-testkey\n\n\n\nghp_testtoken\nxoxb-test\nxapp-test\nU01TEST\n\n\n\n\nn\n' \
+# Prompts: admin user, Anthropic, OpenAI(skip), Gemini(skip), OpenCode(skip),
+#   Slack bot, Slack app, Slack users, AgentMail(skip), email(skip), Sentry(skip), Kernel(skip), launch(n)
+printf 'baudbot_admin\nsk-ant-testkey\n\n\n\nxoxb-test\nxapp-test\nU01TEST\n\n\n\n\nn\n' \
   | bash /home/baudbot_admin/baudbot/install.sh
 
 echo "=== Verifying install ==="

bin/config.sh

@@ -189,12 +189,6 @@ fi
 
 echo ""
 
-prompt_secret "GITHUB_TOKEN" \
-  "GitHub personal access token" \
-  "https://github.com/settings/tokens" \
-  "required" \
-  "ghp_|github_pat_"
-
 prompt_secret "SLACK_BOT_TOKEN" \
   "Slack bot token" \
   "https://api.slack.com/apps → OAuth & Permissions" \
@@ -286,7 +280,6 @@ ordered_keys=(
   OPENAI_API_KEY
   GEMINI_API_KEY
   OPENCODE_ZEN_API_KEY
-  GITHUB_TOKEN
   SLACK_BOT_TOKEN
   SLACK_APP_TOKEN
   SLACK_ALLOWED_USERS

bin/doctor.sh

@@ -68,6 +68,16 @@ else
   warn "docker not found (optional, needed for container tasks)"
 fi
 
+if command -v gh &>/dev/null; then
+  if sudo -u baudbot_agent gh auth status &>/dev/null; then
+    pass "gh cli authenticated"
+  else
+    warn "gh cli installed but not authenticated (run: sudo -u baudbot_agent gh auth login)"
+  fi
+else
+  fail "gh cli not found"
+fi
+
 # ── Secrets ──────────────────────────────────────────────────────────────────
 
 echo ""
@@ -117,7 +127,7 @@ if [ -f "$ENV_FILE" ]; then
   fi
 
   # Check required keys
-  for key in GITHUB_TOKEN SLACK_BOT_TOKEN SLACK_APP_TOKEN SLACK_ALLOWED_USERS; do
+  for key in SLACK_BOT_TOKEN SLACK_APP_TOKEN SLACK_ALLOWED_USERS; do
     if grep -q "^${key}=.\+" "$ENV_FILE" 2>/dev/null; then
       pass "$key is set"
     else

bin/harden-permissions.sh

@@ -63,6 +63,10 @@ fix_file "$HOME/.pi/agent/settings.json" "600"
 # Secrets
 fix_file "$HOME/.config/.env" "600"
 
+# GitHub CLI token (gh auth login stores token here)
+fix_dir "$HOME/.config/gh" "700"
+fix_file "$HOME/.config/gh/hosts.yml" "600"
+
 # SSH (should already be correct from setup.sh)
 fix_dir "$HOME/.ssh" "700"
 find "$HOME/.ssh" -name 'id_*' -not -name '*.pub' -exec chmod 600 {} + 2>/dev/null

install.sh

@@ -128,14 +128,14 @@ install_prereqs_ubuntu() {
     done
   fi
   apt-get update -qq
-  apt-get install -y -qq git curl tmux iptables docker.io sudo 2>&1 | tail -3
+  apt-get install -y -qq git curl tmux iptables docker.io gh sudo 2>&1 | tail -3
 }
 
 install_prereqs_arch() {
-  pacman -Syu --noconfirm --needed git curl tmux iptables docker sudo 2>&1 | tail -5
+  pacman -Syu --noconfirm --needed git curl tmux iptables docker github-cli sudo 2>&1 | tail -5
 }
 
-info "Installing: git, curl, tmux, iptables, docker, sudo"
+info "Installing: git, curl, tmux, iptables, docker, gh, sudo"
 "install_prereqs_$DISTRO"
 info "Prerequisites installed"
 
@@ -212,7 +212,7 @@ fi
 if [ "$HAS_LLM" = false ]; then
   MISSING+="  - LLM key (ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, or OPENCODE_ZEN_API_KEY)\n"
 fi
-for key in GITHUB_TOKEN SLACK_BOT_TOKEN SLACK_APP_TOKEN SLACK_ALLOWED_USERS; do
+for key in SLACK_BOT_TOKEN SLACK_APP_TOKEN SLACK_ALLOWED_USERS; do
   if ! grep -q "^${key}=.\+" "$ENV_FILE" 2>/dev/null; then
     MISSING+="  - $key\n"
   fi
@@ -273,5 +273,8 @@ if [ -f "$SSH_PUB" ]; then
   echo -e "     ${DIM}https://github.com/settings/keys${RESET}"
   echo ""
 fi
+echo -e "  ${YELLOW}⚠${RESET}  Authenticate GitHub CLI:"
+echo -e "     sudo -u baudbot_agent gh auth login"
+echo ""
 echo -e "  ${DIM}Full configuration reference: $REPO_DIR/CONFIGURATION.md${RESET}"
 echo ""

pi/skills/control-agent/SKILL.md

@@ -13,7 +13,7 @@ You are **Baudbot**, a control-plane agent. Your identity:
 
 - You are running as unix user `baudbot_agent` in `/home/baudbot_agent`
 - **Docker**: Use `sudo /usr/local/bin/baudbot-docker` instead of `docker` (a security wrapper that blocks privilege escalation)
-- **GitHub**: SSH access via `~/.ssh/id_ed25519`, PAT available as `$GITHUB_TOKEN`
+- **GitHub**: SSH access via `~/.ssh/id_ed25519`, `gh` CLI authenticated via `gh auth login`
 - **No sudo** except for the docker wrapper
 - **Session naming**: Your session name is set automatically by the `auto-name.ts` extension via the `PI_SESSION_NAME` env var. Do NOT try to run `/name` — it's an interactive command that won't work.